Nils gentschen Felde & Felix von Eye, OGF28 München, 16.03.2010

The GIDS project

A Grid-based, federated Intrusion Detection System to secure the D-Grid infrastructure

Nils gentschen Felde, Felix von Eye

The MNM Team

Leibniz-Rechenzentrum der Bayerischen Akademie der Wissenschaften

Grid-related projects (excerpt: @LMU)

• European projects
– Deployment of Remote Instrumentation Infrastructure (DORII)
– Open Grid Forum Europe (OGF-Europe)
– European Grid Initiative (EGI)
– EMANICS - Management Solutions for Next Generation Networks
– g-Eclipse

• German projects
– Horizontale Integration des Ressourcen- und Dienst-Monitoring im D-Grid (D-MON)
– Authentication and Authorization Infrastructure for VO Management (AAI/VO)
– Ein Grid-basiertes, föderiertes Intrusion Detection System zur Sicherung der D-Grid Infrastruktur (GIDS)

• Previous research projects
– Interoperabilität und Integration der VO-Management Technologien im D-Grid (IVOM)
– VO-Management im D-Grid
– Monitoring und Accounting im D-Grid

Project overview

• Partners:
• Associated Partners:
• Start: 01.07.2009
• Duration: 36 months
• Project leader: LRZ/LMU
– mailto:[email protected]
– www.grid-ids.de

Usage scenario of Grids

Intent
• Loose coupling of autonomous providers
• Hiding heterogeneity

Functionalities
• Job-Scheduling
• Storage
• ...

Management
• User/VO-management
• Monitoring
• Accounting
• ...

Users grouped in Virtual Organizations (VO)
• With respect to scientific affiliation
• Not regarding real organizations any more

Scientific environment
• Generous resource sharing
• Security management neglected

(Figure: Grid-Middleware coupling Resource-providers A, B, C and D)

Security considerations in Grids

Coupling resources
• Abstracted by middleware
• Collaborative use of distributed resources

Security considerations
• Isolated view on domains
• Security is based on trustworthiness of resource providers

(Figure: Grid-Middleware coupling Resource-providers A, B, C and D; each provider runs its own FW, IDS, Anti-Vir, Uplink and Admin)

Example: attack scenario

• Break-in at one site suffices
• Access to Grid-middleware → Access to all resources!
• Example:
– Compromised SSH private key, i.e. well-known SSL vulnerabilities
– Grid-wide login attempts → inter-organizational!
– Only global event correlation yields success

(Figure: Grid-Middleware coupling Resource-providers A, B, C and D)

Goal

• State of the art
– IDS for autonomous systems
– Distributed IDS: always based on total trust
– No concept of customers

• Now
– Stepping towards a Grid-wide solution
– Conception of an IDS for Grids (GIDS)

• First glance challenges
– Inter-organizational system
– Autonomous partners
– Heterogeneity
– GIDS as a service with user-specific views

(Figure: Grid-Middleware coupling Resource-providers A, B, C and D)

Vision: GIDS as a federation

• Intent:
– New service in the Grid
  • Surveying the Grid with respect to security
  • Reporting thereof
– Economical use of
  • The service
  • The Grid itself

• Idea:
– Grid-wide consolidation of security-relevant data
– Derivation of security reports

(Figure: Grid-Middleware coupling Resource-providers A, B, C and D)

Methodology

– Analysis
– Architecture design
– Prototypical implementation
– Evaluation
– Conclusion

Analysis: Methodology

• Threat analysis
– Attack goals and risks
– Classification of possible attackers
  • Attack patterns
  • Origin of attack (positional and organizational)
  • Types of attacks in Grids

• Use-case driven requirements analysis
– User groups and customers
– Information providers

• Requirements induced by Grids
– Generic requirements
– Cooperation patterns
– Trust relationships

Classes of requirements:
– Functional
– Non-functional
– Security requirements
– Organizational and privacy data protection
– Requirements related to detection capabilities

Methodology

– Analysis
– Architecture design (work in progress)
– Prototypical implementation
– Evaluation
– Conclusion

Architecture overview

(Figure: at each Resource-provider A ... X, the local IDS feeds a GIDS-agent; the GIDS-agents publish to the GIDS-/IDMEF-bus, to which the GIDS-operator and the GIDS portal are attached via a GIDS-agent as well)

(Figure: GIDS-agent at a Resource-provider. The local IDS and FW hand their data to agents; the GIDS-agent stores the data in the GIDS-DB and passes data & reports through filtering, aggregation/correlation and anonymization/pseudonymization. Reports are stored in the local (G)IDS-instance and reported to the Admin; data and reports are stored in / published to the GIDS-/IDMEF-bus)

Methodology

– Analysis
– Architecture design
– Prototypical implementation (work in progress)
– Evaluation
– Conclusion

Example: Grid-wide event correlation

• Reminder
– Break-in at one site is sufficient
– Access to Grid-middleware → Access to all resources!

• Example:
– Compromised user account in context of a VO
– VO may use selected resources

• Possibility of detection
– Grid-wide event correlation
– i.e. failing login attempts

(Figure: Grid-Middleware coupling Resource-providers A, B, C and D)

Failing login attempts

(Figure: architecture overview as before; someone who has a VO-member's SSH private key produces a login-attempt at Resource-provider A, whose IDS reports it through the GIDS-agent to the GIDS-/IDMEF-bus as an IDMEF message)

<?xml version="1.0"?>
<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef">
  <idmef:Alert>
    <idmef:Analyzer name="syslogd"/>
    <idmef:Classification text="SSH login attempt"/>
    <idmef:Source>
      <idmef:Node>
        <idmef:Address category="ipv4-addr">
          <idmef:address>172.16.112.20</idmef:address>
        </idmef:Address>
      </idmef:Node>
      <idmef:Service ip_version="4">
        <idmef:port>22</idmef:port>
        <idmef:protocol>TCP</idmef:protocol>
      </idmef:Service>
    </idmef:Source>
    ...
  </idmef:Alert>
</idmef:IDMEF-Message>
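As an added example (not code from the GIDS project), the following Python parses an IDMEF alert of the kind shown above and replaces the source address by a keyed pseudonym, which is one way the anonymization/pseudonymization stage of a GIDS-agent could treat an event before it reaches the GIDS-/IDMEF-bus. The sample alert, the HMAC scheme and the key are constructed assumptions; the xmlns declaration follows RFC 4765 and is required because the slide's snippet omits it and an XML parser rejects the undeclared prefix.

```python
"""Parse an IDMEF 'login-attempt' alert and pseudonymize it before it
leaves the site.

Added example, not code from the GIDS project. The alert below is
constructed after the one on the slide; the pseudonymization scheme
(keyed HMAC over the source address) is an assumption about what the
anonymization/pseudonymization stage of a GIDS-agent could do.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# IDMEF namespace as defined in RFC 4765. The slide's snippet omits the
# xmlns declaration, so a parser rejects it with "unbound prefix".
IDMEF_NS = {"idmef": "http://iana.org/idmef"}

# Constructed sample alert, modelled on the slide (the slide's "..." is
# left out here).
SAMPLE_ALERT = """<?xml version="1.0"?>
<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef">
  <idmef:Alert>
    <idmef:Analyzer name="syslogd"/>
    <idmef:Classification text="SSH login attempt"/>
    <idmef:Source>
      <idmef:Node>
        <idmef:Address category="ipv4-addr">
          <idmef:address>172.16.112.20</idmef:address>
        </idmef:Address>
      </idmef:Node>
      <idmef:Service ip_version="4">
        <idmef:port>22</idmef:port>
        <idmef:protocol>TCP</idmef:protocol>
      </idmef:Service>
    </idmef:Source>
  </idmef:Alert>
</idmef:IDMEF-Message>
"""


def parse_alert(xml_text: str) -> dict:
    """Extract the fields a GIDS-agent needs from one IDMEF alert.
    Malformed input (e.g. the undeclared prefix) raises ValueError so the
    agent can drop the message instead of forwarding garbage."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"malformed IDMEF message: {exc}") from exc
    alert = root.find("idmef:Alert", IDMEF_NS)
    if alert is None:
        raise ValueError("no idmef:Alert element")

    def attr(path: str, name: str):
        el = alert.find(path, IDMEF_NS)
        return el.get(name) if el is not None else None

    def text(path: str):
        el = alert.find(path, IDMEF_NS)
        return el.text.strip() if el is not None and el.text else None

    port = text("idmef:Source/idmef:Service/idmef:port")
    return {
        "analyzer": attr("idmef:Analyzer", "name"),
        "classification": attr("idmef:Classification", "text"),
        "source_address": text("idmef:Source/idmef:Node/idmef:Address/idmef:address"),
        "source_port": int(port) if port is not None else None,
        "protocol": text("idmef:Source/idmef:Service/idmef:protocol"),
    }


def pseudonymize(event: dict, key: bytes) -> dict:
    """Replace the raw source address by a keyed pseudonym.

    The same address yields the same pseudonym under the same key, so the
    GIDS-operator can still correlate events of one source across
    providers without learning the address itself."""
    out = dict(event)
    addr = event.get("source_address")
    if addr:
        digest = hmac.new(key, addr.encode("utf-8"), hashlib.sha256).hexdigest()
        out["source_address"] = "pseudo-" + digest[:16]
    return out


if __name__ == "__main__":
    event = parse_alert(SAMPLE_ALERT)
    print("at the site:   ", event)
    print("on the bus:    ", pseudonymize(event, b"constructed-site-secret"))
```

Two design points follow from the keyed pseudonym: providers that pseudonymize under different keys produce unlinkable pseudonyms for the same address, so Grid-wide correlation by source requires either a key shared within the federation or a pseudonymization step at the operator; and IDMEF arriving from other organizations is untrusted input, so a production agent should parse it with a hardened XML parser (e.g. the defusedxml package) rather than the plain standard-library one.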

Exemplary Dataflow

(Figure: architecture overview as before; the holder of the VO-member's SSH private key produces login-attempts at several resource providers, and each site's GIDS-agent publishes a login-attempt event to the GIDS-/IDMEF-bus)

(Figure: GIDS-agent internals as before, with the Correlation stage highlighted. Login-attempt events arriving over the GIDS-/IDMEF-bus pass filtering and aggregation/correlation; the correlation yields a correlation-alarm, which is stored and reported like the other reports)
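The correlation step of this slide and of the "Grid-wide event correlation" example above, as an added Python example (not GIDS project code): every site sees only a single failed login for a given pseudonymized identity and stays below its local threshold, while the GIDS-operator, combining the login-attempt events of all providers from the bus, raises a correlation-alarm. The events, the 10-minute window and the threshold of three distinct providers are constructed assumptions.

```python
"""Grid-wide correlation of failing login attempts.

Added example, not code from the GIDS project. It shows the point the
slides make: each resource provider alone sees too few failures to alarm,
while the GIDS-operator, seeing the events of all providers from the
GIDS-/IDMEF-bus, can raise a correlation-alarm. The thresholds, the
window and the sample events are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LoginAttempt:
    """One 'login-attempt' event as a GIDS-agent would publish it."""
    timestamp: datetime
    provider: str    # reporting resource provider
    identity: str    # pseudonym of the subject; raw identifiers stay at the site
    success: bool


@dataclass(frozen=True)
class CorrelationAlarm:
    identity: str
    providers: Tuple[str, ...]
    first_seen: datetime
    last_seen: datetime


T0 = datetime(2010, 3, 16, 9, 0, 0)

# Constructed sample: one identity fails once at each of four providers
# within six minutes; a second identity fails once and then succeeds.
SAMPLE_EVENTS: List[LoginAttempt] = [
    LoginAttempt(T0, "Resource-provider A", "pseudo-7c1e", False),
    LoginAttempt(T0 + timedelta(minutes=1), "Resource-provider A", "pseudo-b055", False),
    LoginAttempt(T0 + timedelta(minutes=2), "Resource-provider B", "pseudo-7c1e", False),
    LoginAttempt(T0 + timedelta(minutes=4), "Resource-provider C", "pseudo-7c1e", False),
    LoginAttempt(T0 + timedelta(minutes=6), "Resource-provider D", "pseudo-7c1e", False),
    LoginAttempt(T0 + timedelta(minutes=7), "Resource-provider B", "pseudo-b055", True),
]


def local_failures(events: List[LoginAttempt], provider: str,
                   threshold: int = 3) -> Dict[str, int]:
    """The isolated view of one site: failed logins per identity, keeping
    only identities at or above the site's own alarm threshold."""
    counts: Dict[str, int] = defaultdict(int)
    for ev in events:
        if ev.provider == provider and not ev.success:
            counts[ev.identity] += 1
    return {ident: n for ident, n in counts.items() if n >= threshold}


def correlate(events: List[LoginAttempt],
              window: timedelta = timedelta(minutes=10),
              min_providers: int = 3) -> List[CorrelationAlarm]:
    """The GIDS-operator view: one alarm per identity as soon as failed
    logins for that identity have been reported by min_providers distinct
    providers within the sliding window."""
    recent: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    alarms: List[CorrelationAlarm] = []
    alarmed = set()
    for ev in sorted(events, key=lambda e: e.timestamp):
        if ev.success:
            continue
        # keep only the failures of this identity that fall inside the window
        hits = [(t, p) for (t, p) in recent[ev.identity] if t >= ev.timestamp - window]
        hits.append((ev.timestamp, ev.provider))
        recent[ev.identity] = hits
        providers = sorted({p for _, p in hits})
        if len(providers) >= min_providers and ev.identity not in alarmed:
            alarmed.add(ev.identity)
            alarms.append(CorrelationAlarm(ev.identity, tuple(providers),
                                           min(t for t, _ in hits), ev.timestamp))
    return alarms


if __name__ == "__main__":
    for site in ("Resource-provider A", "Resource-provider B"):
        print(site, "local alarms:", local_failures(SAMPLE_EVENTS, site))
    for alarm in correlate(SAMPLE_EVENTS):
        print("correlation-alarm:", alarm)
```

The correlation keys on the pseudonym, so it only works if all providers map the same subject to the same pseudonym; the window also bounds the operator's memory per identity, which matters once thousands of events per minute arrive over the bus.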

Methodology

– Analysis
– Architecture design
– Prototypical implementation
– Evaluation (→ To be done!)
– Conclusion

Methodology

– Analysis
– Architecture design
– Prototypical implementation
– Evaluation
– Conclusion

Conclusion

• Challenge: Conception of a GIDS
• Proceeding:
– Analysis: Threats, use cases, requirements induced by Grids
– Design of a generic GIDS architecture
– Development of privacy-protection concept
– Prototype → later: Production ready
– Evaluation: Simulation and measurements in D-Grid

• Results:
– Catalogue of criteria to evaluate IDS for their use in Grids
– Generic GIDS architecture
– Privacy-protection concept
– GIDS in production for D-Grid

Further research questions

• Management aspects
– Specification of processes as in e.g. ISO20000 or ITIL
– Special challenges in inter-organizational environments

• Attack detection
– Which analysis techniques are appropriate in Grids, which aren't?
– Implication of dynamics in Grids in regard to attack detection methods
– Valuable use of additionally available information in Grids (e.g. (job-)monitoring or VO-management systems)

• Compliance
– Enhancing the GIDS by making use of trust-level management data

Thank you!

Project details: www.grid-ids.de

Contact: Nils gentschen Felde <[email protected]>